Solving Random Subset Sum Problem by lp -norm SVP
Oracle ?
Gengran Hu, Yanbin Pan and Feng Zhang
Key Laboratory of Mathematics Mechanization, NCMIS,
Academy of Mathematics and Systems Science, Chinese Academy of Sciences
Beijing 100190, China
[email protected], [email protected], [email protected]
Abstract. It is well known that almost all random subset sum instances with density
less than 0.6463... can be solved with an l2 -norm SVP oracle by Lagarias and Odlyzko.
Later, Coster et al. improved the bound to 0.9408... by using a different lattice. In
this paper, we generalize this classical result to lp -norm. More precisely, we show
that for p ∈ Z+ , an lp -norm SVP oracle can be used to solve almost all random
subset sum instances with density bounded by δp , where δ1 = 0.5761 and δp =
1/( 21p log2 (2p+1 − 2) + log2 (1 + (2p −1)(1−( 1 1 )(2p −1) ) ))) for p ≥ 3(asymptotically,
2p+1 −2
δp ≈ 2p /(p + 2)). Since δp goes increasingly to infinity when p tends to infinity, it
can be concluded that an lp -norm SVP oracle with bigger p can solve more subset
sum instances. An interesting phenomenon is that an lp -norm SVP oracle with p ≥ 3
can help solve almost all random subset sum instances with density one, which are
thought to be the most difficult instances.
Keywords: SVP, random subset sum problems, lattice, lp -norm.
1
Introduction
Lattices are discrete subgroup in Rn and have many important applications in both cryptanalysis and cryptographic constructions. Many lattice-based cryptographic primitives have
been presented, such as the public-key cryptosystems [1, 2, 21, 9, 11], the digital signature
scheme NTRUSign [12] and the fully homomorphic encryption [8]. Usually, the securities of
these schemes can be based on the hardness of some lattice problems, like SVP (the shortest
vector problem). SVP refers to finding a shortest non-zero vector in a given lattice and is
one of the most famous computational problems of lattice. Many famous algorithms are
proposed to solve SVP, including the famous LLL algorithm [14]. These algorithms can also
be used to attack knapsack-based public-key cryptosystems (See [15] for more details).
The knapsack problem, or the subset sum problem (SSP), is a well-known NP-hard
problem. It asks to choose some elements in a given set such that the sum of these elements
is exactly equal to a given number. When all of the elements of the set are uniformly random
?
This work was supported in part by the NNSF of China (No.11071285, No.11201458, and
No.61121062), in part by 973 Project (No. 2011CB302401) and in part by the National Center for Mathematics and Interdisciplinary Sciences, CAS.
2
Gengran Hu, Yanbin Pan, Feng Zhang
over some set, it comes to the random subset sum problem (RSSP), which is also a significant
computational problem.
The hardness of RSSP is still not clear. However, it seems that there is a very close relationship between the hardness of RSSP and its density. When the density is large enough, it
can be solved via dynamic programming. When the density is small enough, it can be solved
by LLL algorithm [15]. In [13], Impagliazzo and Naor showed that the hardest instances of
RSSP lie in those with density equal to 1.
Some relations between SVP and RSSP have been exploited. In 1985, Lagarias and
Odlyzko [15] showed that the l2 -norm SVP oracle can be used to solve almost all random
subset sum instances with density bounded by 0.6463 when the size of the subset sum
instance is large enough. Later, Coster et al. [5] improved this bound to 0.9408. However, it
is a long standing open problem to solve the RSSP instances with density 1 using the lattice
l2 -norm SVP oracle.
In this work, we give a very interesting result that any lp -norm SVP oracle (p > 2) can
help to solve the RSSP with density 1 efficiently. More precisely, if p ∈ Z+ , an lp -norm SVP
oracle can be used to solve almost all random subset sum instances with density bounded
by δp = 1/( 21p log2 (2p+1 − 2) + log2 (1 + (2p −1)(1−( 1 1 )(2p −1) ) ))). It is easy to see that δp
2p+1 −2
goes increasingly to infinity as p tends to infinity, which implies that an lp -norm SVP oracle
with bigger p can solve more subset sum instances. Especially, an l∞ -norm SVP oracle can
solve all the subset sum instances, which coincides with the deterministic reduction from
subset sum problem to l∞ -norm SVP. It seems that the hardness of lp -norm SVP increases
as p gets bigger. However, in practice, the existing SVP algorithms are mostly in l2 -norm,
even the lp -norm SVP algorithm in [6] uses the MV algorithm(an l2 -norm SVP algorithm
in [18]) as a starting point.
In fact, it is well known that the l∞ -norm SVP is NP-hard under deterministic reduction,
whereas SVP for other norms are proved to be NP-hard under only probabilistic reductions
(see [3, 17, 19]). In addition, Regev and Rosen [22] proved for any ² > 0, l2 -norm SVP1+²
can be probabilistically reduced to lp -norm SVP for all 1 ≤ p ≤ ∞ which showed that the
l2 -norm SVP1+² is easiest. Unfortunately, reduction from exact l2 -norm SVP to lp -norm
SVP has still not been found.
We would like to point out that if RSSP can be proved to be NP-hard, then by our
result, we can prove lp -norm SVP (p > 2, p ∈ Z+ ) is NP-hard under probabilistic reduction.
Such a reduction will be more simple and clear, compared to the previous reductions.
Moreover, as a byproduct, we give an upper bound of the number of the integer points
in an lp ball, which is shown to be very nice for p ≥ 3.
Roadmap. The remainder of the paper is organized as follows. In Section 2, we give some
preliminaries needed. In Section 3, we describe our probabilistic reduction from random subset sum problem to lp -norm SVP in details. Finally, we give a short conclusion in Section
4.
Solving Random Subset Sum Problem by lp -norm SVP Oracle
2
3
Preliminaries
We denote by Z the integer ring. We use bold letters to denote vectors. If v ∈ Rn is a
vector, then
Pn we denote by vi the i-th entry of v. Let kvkp be the lp norm of v, that is,
kvkp = ( i=1 |vi |p )1/p .
2.1
Lattice
Given a matrix B = (bij ) ∈ Rm×n with rank n, the lattice L(B) spanned by the columns of
B is
n
X
L(B) = {Bx =
xi bi |xi ∈ Z},
i=1
where bi is the i-th column of B. We call m the dimension of L(B) and n its rank.
Definition 1 (lp -norm SVP). Given a lattice basis B, the lp -norm SVP asks to find a
nonzero vector in L(B) with the smallest lp -norm.
2.2
Random Subset Sum Problem
Pn
Given a = (a1 , a2 , . . . , an ) distributed uniformly in [1, A]n and s = i=1 ei ai where e =
(e1 , e2 , . . .P
, en ) ∈ {0, 1}n , RSSP refers to finding some c = (c1 , c2 , . . . , cn ) ∈ {0, 1}n such
n
that s = i=1 ci ai without knowing e. Notice that the solution c may not be the original
e.
The density of these ai ’s is defined by
n
.
d=
log2 (A)
It was shown by Lagarias and Odlyzko [15] that almost all the subset sum problem with
density less than 0.6463 . . . would be solved in polynomial time with a single call to an oracle
that can find the shortest vector in a special lattice. Later, Coster et al. [5] improved the
bound to 0.9408 . . . by finding a shortest nonzero vector with an l2 -norm SVP oracle in the
following lattice spanned by the columns of


1
1
0 ... 0
2
1 
 0
1 ... 0
2 

 ..
..
..
..  ,
 .
.
.
. 


1 
 0
0 ... 1
2
N a1 N a2 . . . N an N s
where N is a big enough integer.
2.3
Estimation of the Combinatorial Number
By Stirling’s Formula, we have the following estimation for the combinatorial number,
µ ¶
∼
αn
= O(2αH(β/α)n ),
βn
∼
where H(x) = −x log2 x − (1 − x) log2 (1 − x) and O(f (n)) = O(f (n) ∗ poly(log(f (n)))).
4
Gengran Hu, Yanbin Pan, Feng Zhang
3
3.1
Solving Random Subset Sum Problem by lp -norm SVP Oracle
The Upper Bound of the Number of Integer Points in an lp -Ball
We first give some results about the number of the integer points in an lp -ball, that is,
1
#{x ∈ Zn+1 |kxkp ≤ 21 (n + 1) p }.
Theorem 1 For all n ≥ 1,
– If p = 1 and n large enough,
1
n} ≤ 2c1 n ,
2
#{x ∈ Zn |kxk1 ≤
where c1 = 1.7357.
– If p = 2,
#{x ∈ Zn |kxk2 ≤
1√
n} ≤ 2c2 n ,
2
#{x ∈ Zn |kxkp ≤
1 p1
n } ≤ 2cp n ,
2
where c2 = 1.0628.
– If p ≥ 3 and p ∈ Z+ ,
where cp ≈
1
2p
log2 (2p+1 − 2) + log2 (1 +
1
2p −1 ).
Proof. We will prove the theorem in three cases.
– p = 1:
For simplicity, we assume n is even (the case when n is odd is similar). Let R(m, n) ,
#{x ∈ Zn , x has m nonzero entries | kxk1 ≤ 12 n}, then
#{x ∈ Zn |kxk1 ≤
n/2
X
1
n} =
R(m, n).
2
m=0
¡ n ¢ Pn/2 ¡ j−1 ¢
¡ ¢¡ ¢
m n n/2
It is easy to know that R(m, n) = 2m m
j=m m−1 = 2
m
m . Assume R(mn , n) =
maxR(m, n), then #{x ∈ Zn |kxk1 ≤ 12 n} ≤ 12 n(R(mn , n)). Noticing that
m
R(m + 1, n)/R(m, n) =
=
¡
¢¡
n
n/2
m+1 m+1
¡ n ¢¡n/2¢
2m m
m
2m+1
¢
(n − m)(n − 2m)
(m + 1)2
is decreasing with respect to m, we have
½
R(mn , n)/R(mn − 1, n) ≥ 1,
R(mn + 1, n)/R(mn , n) ≤ 1,
Solving Random Subset Sum Problem by lp -norm SVP Oracle
which implies that
½
5
mn ≤ 0.381966n + 0.658359,
mn ≥ 0.381966n − 0.828427,
since mn ≤ n/2. We obtain mn ≈ 0.381966n. Thus, we have the bound
µ
¶µ
¶
1
0.5n − 1
n
1
#{x ∈ Zn |kxk1 ≤ n} ≤ n20.381966n
.
2
2
0.381966n − 1 0.381966n
Using the estimation
#{x ∈ Zn |kxk1 ≤
¡αn¢
βn
∼
= O(2αH(β/α)n ), finally we have for n large enough
∼
∼
1
n} = O(20.381966n+0.39422n+0.9594187n ) = O(21.7356047n ) ≤ 21.7357n .
2
– If p = 2:
It has been proven in Section 3 in [5].
– If p ≥ 3 and p ∈ P
Z+ :
p
∞
Let θ(z) = 1 + 2 i=1 z i and rn (k) be the number of integer solutions to
n
X
|xi |p = k.
i=1
Then
(θ(z))n =
∞
X
rn (k)z k .
k=0
For all x > 0, we have
#{x ∈ Zn |kxkp ≤
1 p1
1
n } = #{x ∈ Zn |kxkpp ≤ p n}
2
2
X
=
rn (k)
k≤ 21p n
X
≤
1
rn (k)e 2p nx e−kx
k≤ 21p n
≤
∞
X
1
rn (k)e 2p nx e−kx
k=0
1
= e 2p nx
∞
X
rn (k)e−kx
k=0
=e
Let
fp (x) =
We have
#{x ∈ Zn |kxkp ≤
1
2p
nx
(θ(e−x ))n .
1
x + ln θ(e−x ).
2p
1 p1
n } ≤ efp (x)n = 2(log2 e)fp (x)n
2
6
Gengran Hu, Yanbin Pan, Feng Zhang
holds for all x > 0.
So we only need to compute minfp (x). It is difficult to give the exact value of minfp (x).
x>0
x>0
Next we give an upper bound for minfp (x).
x>0
Noticing that
fp (x) =
p
p
p
p
1
1
x + ln θ(e−x ) = p x + ln(1 + 2e−1 x + 2e−2 x + 2e−3 x + · · · + 2e−k x + · · · ),
2p
2
we define
lp (x) ,
1
x + ln(1 + 2e−x )
2p
and
p
p
p
p
1
x + ln(1 + 2e−x + 2e−2 x + 2e−(2 +2 −1)x + · · · + 2e−((k−1)2 −(k−2))x + · · · )
2p
1
2e−x
= p x + ln(1 +
).
2
1 − e−(2p −1)x
up (x) ,
When p ≥ 1, the difference sequence (2p − 1p , 3p − 2p , 4p − 3p , · · · ) is not decreasing,
then for k ≥ 2,
2e−k
p
x
= 2e−x(1+(2
p
−1p )+(3p −2p )+···+(kp −(k−1)p ))
≤ 2e−x(1+(2
p
−1p )+(2p −1)+···+(2p −1))
= 2e−((k−1)2
p
−(k−2))x
So we have
lp (x) ≤ fp (x) ≤ up (x)
holds for all x > 0, which implies
minlp (x) ≤ minfp (x) ≤ minup (x).
x>0
x>0
x>0
Because lp (x) takes the minimum
lp (x0 (p)) =
at
1
1
ln(2p+1 − 2) + ln(1 + p
)
2p
2 −1
x0 (p) = ln(2p+1 − 2)
and
up (x0 (p)) =
1
1
ln(2p+1 − 2) + ln(1 + p
),
p
2
(2 − 1)(1 − ( 2p+11 −2 )(2p −1) )
we have an interval estimate [lp (x0 (p)),
up (x0 (p))] for minfp (x) since
x>0
lp (x0 (p)) = minlp (x) ≤ minfp (x) ≤ minup (x) ≤ up (x0 (p)).
x>0
x>0
x>0
Taking cp = log2 e · up (x0 (p)), the result for p ≥ 3 follows.
Solving Random Subset Sum Problem by lp -norm SVP Oracle
7
We would like to point out that 2cp n is a very nice estimation of the number of integer
1
points in the lp ball {x ∈ Zn |kxkp ≤ 12 n p } for p ≥ 3. In fact, we can easily have an
asymptotic rough lower bound for the number of integer points by just considering those
vectors in the ball with exactly 21p n entries in {−1, 1} and other entries equal to 0. The
¡ ¢
1
1
1
total number of such vectors is 2 2p n · 1pnn , which is approximately equal to 2(H( 2p )+ 2p )n .
2
Hence for p ∈ Z+ and n large enough, we have
#{x ∈ Zn |kxkp ≤
1 p1
n } ≥ 2kp n ,
2
1
1
where kp = p+1
2p − (1 − 2p ) log2 (1 − 2p ). Interestingly, we find that kp is exactly the total
lower bound log2 e · lp (x0 (p)) obtained above.
The table below gives the values of lp (x0 (p))(= ln 2 · kp ) and up (x0 (p)) for p from three
to ten.
p
3
4
5
6
7
8
9
10
lp 0.4634 0.2771 0.1607 0.0913 0.0511 0.2827 0.0155 0.0084
up 0.4634 0.2771 0.1607 0.0913 0.0511 0.2827 0.0155 0.0084
It can be seen that up (x0 (p)) is a very good estimation of minfp (x), since for p ≥ 3,
x>0
lp (x0 (p)) and up (x0 (p)) are nearly the same. Similarly, 2cp n is a very nice estimation of the
number of integer points in the lp ball for p ≥ 3, since the upper bound and the lower bound
are also nearly the same. In fact, the asymptotic forms for lp (x0 (p)) and up (x0 (p)) are the
same:
p+2
p+2
lp (x0 (p)) ≈ ln 2 · p , up (x0 (p)) ≈ ln 2 · p .
2
2
3.2
Solving Random Subset Sum Problem by lp -norm SVP Oracle
To solve the subset sum problem defined by ai (1 ≤ i ≤ n) and s, we consider the lattice
L(B) generated by the columns of B where


1
1
0 ... 0
2
1 
 0
1 ... 0
2 

 ..
..
..
.. 
 .
.
.
. 
B=
,
1 
 0
0
.
.
.
1

2 
1 
 0
0 ... 0
2
N a1 N a2 . . . N an N s
1
and N > 12 (n + 1) p is an positive integer. Notice that our lattice is a little different from
Coster et al.’s, which leads a more simple reduction. The additional row in the lattice basis
matrix can bound the last integer coefficient more tightly(see section 3 of [5] for more
details).
Any x = (x1 , x2 . . . xn , xn+1 , xn+2 )T ∈ L(B) can be written as

1

(i = 1, 2 . . . n)
xi = wi + 2 w
1
(1)
xn+1 = 2 w

Pn

xn+2 = N ( i=1 wi ai + ws)
8
Gengran Hu, Yanbin Pan, Feng Zhang
with all the wi ’s and w in Z.
For any solution e of the subset problem, taking wi = ei , w = −1, we get L(B) contains
0
0
0
0
a corresponding lattice vector e = (e1 . . . en , − 21 , 0) with ei = ei − 12 ∈ {− 21 , 12 }. Obviously,
1
0
ke kp = 12 (n + 1) p .
On the other hand, it is easy to know that any y = (y1 , y2 . . . yn , yn+1 , yn+2 )T ∈ L(B)
of the form

1
1

yi ∈ {− 2 w, 2 w} (i = 1, 2 . . . n)
yn+1 = − 12 w


yn+2 = 0
where w ∈ Z\{0} yields an solution (y1 − 12 , y2 − 12 , · · · , yn − 21 ) of the RSSP. Thus, we define
the solution set of the subset sum instance
1
1
Sn = { w(y1 , y2 . . . yn , − , 0)T | |yi | = , w ∈ Z\{0} }.
2
2
0
Then ±e ∈ Sn .
By querying the lp -norm SVP oracle with L(B), we get a non-zero shortest vector x. If
x ∈ Sn , then we can recover one solution of the RSSP. So the failure possibility is at most
0
P = Pr(∃x ∈ L(B) s.t. 0 < kxkp ≤ ke kp
,x ∈
/ Sn ).
1
p
0
1
For x ∈ L(B) with kxkp ≤ ke kp = 21 (n+1) , x ∈
/ Sn , we have xn+2 = 0 since N > 12 (n+1) p ,
which implies
n
X
wi ai + ws = 0.
(2)
i=1
If w is odd, then x ∈
/ Zn+2 and |xi | ≥ 21 for i = 1, 2 . . . n + 1 by (1). Noticing that kxkp ≤
1
1
1
p
2 (n + 1) , we must have |xi | = 2 and w = ±1, which means x ∈ Sn in this case.
n+2
Thus w is even and x ∈ Z
. Using xi = wi + 21 w and xn+1 = 12 w, together with (2),
we have
n
n
X
X
xi ai + 2xn+1 s − xn+1
ai = 0.
i=1
i=1
As a result, the above probability P can be bounded as
1
1
/ Sn )
(n + 1) p , x ∈
2
1
1
≤ Pr(∃x ∈ Zn+1 s.t. 0 < kxkp ≤ (n + 1) p ,
2
n
n
X
X
xi ai + 2xn+1 s − xn+1
ai = 0, (xT , 0)T ∈
/ Sn )
P = Pr(∃x ∈ L(B) s.t.
i=1
n
X
≤ Pr(
0 < kxkp ≤
i=1
n
X
xi ai + 2xn+1 s − xn+1
i=1
· #{x ∈ Zn+1
ai = 0 : 0 < kxkp ≤
i=1
1
1
| kxkp ≤ (n + 1) p }.
2
1
1
(n + 1) p , (xT , 0)T ∈
/ Sn )
2
Solving Random Subset Sum Problem by lp -norm SVP Oracle
For any solution e, we have s =
n
X
Pn
i=1 ei ai .
9
Taking zi = xi + 2xn+1 ei − xn+1 , we get
xi ai + 2xn+1 s − xn+1
n
X
i=1
ai = 0 ⇐⇒
i=1
n
X
zi ai = 0.
i=1
So we have
n
X
P ≤ Pr(
zi ai = 0,
(xT , 0)T ∈
/ Sn ) · #{x ∈ Zn+1
|
kxkp ≤
i=1
1
1
(n + 1) p }.
2
We next show that there exists a j s.t. zj 6= 0. For contradiction, if all zj = 0, then
1
xj = (1 − 2ej )xn+1 . Hence |xj | = |xn+1 | since ej ∈ {0, 1}. By 0 < kxkp ≤ 12 (n + 1) p , we
know that 0 < xj < 21 , which contradicts that xj ’s are integer. So there exists a j s.t. zj 6= 0.
P
0
Let z = − i6=j zi ai /zj , then
n
n
X
X
Pr(
zi ai = 0, (xT , 0)T ∈
/ Sn ) = Pr(
zi ai = 0, zj 6= 0)
i=1
i=1
0
= Pr(aj = z )
=
A
X
0
0
0
Pr(aj = z |z = k) · Pr(z = k)
k=1
=
A
X
0
Pr(aj = k) · Pr(z = k)
k=1
A
=
0
1 X
Pr(z = k)
A
k=1
1
≤ .
A
Now we obtain
P ≤
1
1
1
· #{x ∈ Zn+1 |kxkp ≤ (n + 1) p }.
A
2
(3)
By Theorem 1, we can bound P as
P ≤
2cp (n+1)
2cp (n+1)
= (n/d)
A
2
When d < 1/cp , δp , P is exponentially small on n, meaning almost all random subset sum
instances with density less than δp can be solved by lp -norm SVP oracle. Hence we get the
following theorem.
Theorem 2 For p ∈ Z+ and large enough n, let A be a positive integer, ai (1 ≤ i ≤ n) be
independently uniformly random integers between 1 and A, e = (e1 , e2 , · · · , en ) be arbitrary
10
Gengran Hu, Yanbin Pan, Feng Zhang
Pn
non-zero vector in {0, 1}n , and s = i=1 ai ei . If the density



0.5761, p = 1
n
< δp = 0.9408, p = 2
d=

log2 A

1/( 21p log2 (2p+1 − 2) + log2 (1 + (2p −1)(1−(
1
p
1
)(2 −1) )
2p+1 −2
))), p ≥ 3
(4)
then with probability exponentially close to 1, the subset sum problem defined by ai (1 ≤ i ≤ n)
and s can be solved in polynomial time with a single call to an lp -norm SVP oracle.
The table below gives the values of δp for p from one to ten.
p
1
2
3
4
5
6
7
8
9
10
δp 0.5761 0.9408 1.4957 2.5013 4.3127 7.5907 13.564 24.521 44.750 82.302
We also plot the ten log2 δp ’s values in the following picture.
7
First ten log2δp’s
Density=1(log2density=0)
6
5
log2density
4
3
2
1
0
−1
1
2
3
4
5
6
7
8
9
10
p
Roughly speaking, the asymptotic form for δp is 2p /(p + 2). It’s easy to see that the
upper bound δp will go increasingly to infinity when p tends to infinity, which implies that
an lp -norm SVP oracle with larger p will help to solve more random subset sum problems.
Another interesting phenomenon is that we can solve the RSSP with density one with the
lp -norm SVP oracle with p ≥ 3 but we can not solve them with l2 -norm SVP oracle by now.
It seems that the hardness of lp -norm SVP is not decreasing as p gets larger.
4
Conclusion
In this paper, we generalize the classical probabilistic reduction from random subset sum
problem to l2 -norm SVP to the case for lp -norm. For any p ∈ Z+ , we can use an lp -norm
Solving Random Subset Sum Problem by lp -norm SVP Oracle
11
SVP oracle to solve almost all random subset sum problem with density bounded by δp .
Since δp increases as p gets bigger, an lp -norm SVP oracle with larger p will help to solve
more random subset sum problems. Moreover, an lp -norm SVP oracle with p ≥ 3 can help
solve almost all random subset sum instances with density one, which are thought to be the
most difficult instances.
Acknowledgement. We thank the anonymous referees for putting forward their excellent
suggestions on how to improve the presentation of this paper.
References
1. Ajtai, M.: Gennerating hard instances of lattice problems. In: STOC 1996, pp. 99-108. ACM
Press, New York(1996)
2. Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In:
STOC 1997, pp. 284-293. ACM Press, New York(1997)
3. Ajtai, M.: The shortest vector problem in L2 is NP-hard for randomized reductions(extended
abstract). In: 30th Annual ACM Symposium on Theory of Computing, pp. 266-275. ACM
Press, New York (1998)
4. Babai, L., On Lovasz’ lattice reduction and the nearest lattice point problem. Combinatorica,
6(1): pp. 1-13. Springer, Heidelberg(1986)
5. Coster, M.J., Joux, A., Lamacchia, B.A., Odlyzko, A.M., Schnorr, C.P., Stern, J.: An improved
low-density subset sum algorithm. Computational Complexity. 2, 111-128(1992)
6. Dadush, D., Peikert, C., Vempala, S.: Enumerative lattice algorithms in any norm via M ellipsoid coverings. In: FOCS 2011, pp. 580-589. IEEE Computer Society Press(2011)
7. Frieze, A.M.: On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM J. Comput.
18, 550-558(1989)
8. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC 2009, pp. 169-178.
ACM Press, New York(2009)
9. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic
constructions. In: STOC 2008, pp. 197-206. ACM Press, New York(2008)
10. Goldreich, D., Micciancio, D., Safra, S., Seifert, J.P.: Approximating shortest lattice vectors is
not harder than approximating closest lattice vectors, Information Processing Letters. 71(2),
55-61(1999)
11. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A Ring-Based Public Key Cryptosystem. In:
Buhler, J.P.(eds.) Proceedings of Algorithmic Number Theory. LNCS, vol. 1423, pp. 267-288.
Springer-Verlag(1998)
12. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J., Whyte, W.: NTRUSign: Digital
Signatures Using the NTRULattice. In: CT-RSA 2003. LNCS, Vol. 2612, pp. 122-140. SpringerVerlag(2003)
13. Impagliazzo, R., Naor, M.: Efficient Cryptographic Schemes Provably as Secure as Subset Sum,
Journal of Cryptology. 9, 199-216(1996)
14. Lenstra, A.K., Lenstra, H.W.Jr., Lovasz, L.: Factoring polynomials with rational coefficients,
Mathematische Annalen. 261, 513-534 (1982)
15. Lagarias, J.C., Odlyzko, A.M.: Solving low-density subset sum problems. J. Assoc. Comp. Mach.
32(1), 229-246(1985)
16. Lyubashevsky, V., Micciancio, D., Peikert, C., Swifft, A.R.: A modest proposal for fft hashing.
In: Fast Software Encryption (FSE) 2008. LNCS, pp. 54-72. Springer-Verlag(2008)
12
Gengran Hu, Yanbin Pan, Feng Zhang
17. Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptography Perspective,
Kluwer Academic Publishes(2002)
18. Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice
problems based on Voronoi cell computations. In: STOC 2010. pp. 351-358. ACM Press, New
York(2010)
19. Micciancio, D.: Inapproximability of the Shortest Vector Problem: Toward a Deterministic
Reduction. Theory of Computing. 8(1), 487-512(2012)
20. Regev, O.: Lattices in computer science. Lecture notes of a course given in Tel Aviv University(2004)
21. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC
2005, pp. 84-93. ACM Press, New York(2005)
22. Regev, O., Rosen, R.: Lattice problems and norm embeddings. In: STOC 2006, pp. 447-456.
ACM Press, New York(2006)